Cross-site scripting (XSS) vulnerabilities -- though being known for more than ten years -- are still one of the most commonly-found web application vulnerabilities in the wild. Among all the defenses proposed by researchers, one widely-adopted approach is called Content Security Policy (CSP) -- which has been standardized by W3C and adopted by all major commercial browsers, such as Google Chrome, Internet Explorer, Safari, and Firefox. Though being successful in the client-side adoption, the server-side adoption of CSP is worrisome: According to a recent Internet-scale survey of 1M websites, at the time of the study, only 2% of top 100 Alexa websites enabled CSP, and 0.00086% of 900,000 least popular sites did so. This project is creating a backend-language-agnostic approach to help CSP's deployment at the server side, which automatically transforms existing real-world web contents to comply with CSP. The key insight of the project is that although web scripts may occur in different formats, contain real-time, user-related information, or be generated dynamically, these scripts are originated from the server and generated from certain templates. Therefore, the project can group scripts based on their similarities and infer the templates behind the scripts. Specifically, there are two types of scripts to handle: inline scripts and dynamic scripts. For the former, the project generalizes the script structures -- such as for loop and if statement -- as well as the type information of each object as templates and only allows scripts that matches the templates. For the latter, in addition to the matching with templates, the project instantiates these templates in runtime.
EAGER: Real-time Enforcement of Content Security Policy upon Real-world Websites